Systems and methods for managing security events using a graphical user interface

ABSTRACT

Example implementations include a method, apparatus and computer-readable medium for managing security events via a graphical user interface (GUI), comprising receiving an indication of a first security event occurring in an environment, determining a priority value of the first security event, and creating a first identifier of the first security event, wherein the first identifier is a visual icon of a given shape. The implementations further include assigning a size and color to the first identifier of the first security event based on the priority value and generating, for display on the GUI, the first identifier of the first security event, wherein the GUI is configured to display identifiers of one or more security events in a selectable layout of a plurality of selectable layouts, wherein selection of the first identifier generates a panel of selectable actions that can be executed to address the first security event.

TECHNICAL FIELD

The described aspects relate to security systems.

BACKGROUND

Aspects of the present disclosure relate generally to security systems,and more particularly, to managing security events using a graphicaluser interface.

Conventional security systems often list sensor data in clunkyinterfaces—in some cases simply listing data without indicating whichdata needs to be viewed first. Users that monitor this data may facelife-threatening or urgent security events (e.g., fires, intrusions,etc.) that need to be presented immediately and in a manner that directsthe attention of a user to the event.

SUMMARY

The following presents a simplified summary of one or more aspects inorder to provide a basic understanding of such aspects. This summary isnot an extensive overview of all contemplated aspects, and is intendedto neither identify key or critical elements of all aspects nordelineate the scope of any or all aspects. Its sole purpose is topresent some concepts of one or more aspects in a simplified form as aprelude to the more detailed description that is presented later.

An example implementation includes a method for managing security eventsvia a graphical user interface (GUI), including receiving an indicationof a first security event occurring in an environment, wherein the firstsecurity event is detected by at least one sensor in the environment.The method further includes determining a priority value of the firstsecurity event based on a type of the first security event.Additionally, the method further includes creating a first identifier ofthe first security event, wherein the first identifier is a visual iconof a given shape. Additionally, the method further includes assigning asize and color to the first identifier of the first security event basedon the priority value. Additionally, the method further includesgenerating, for display on the GUI, the first identifier of the firstsecurity event, wherein the GUI is configured to display identifiers ofone or more security events in a selectable layout of a plurality ofselectable layouts. Additionally, the method further includes receivinga selection of the first identifier. Additionally, the method furtherincludes generating, for display, a panel comprising information aboutthe first security event and a plurality of actions to address the firstsecurity event. Additionally, the method further includes receiving aselection of an action from the plurality of actions. Additionally, themethod further includes executing the action to address the firstsecurity event.

Another example implementation includes an apparatus for managingsecurity events via a graphical user interface (GUI), comprising amemory and a processor in communication with the memory. The processoris configured to receive an indication of a first security eventoccurring in an environment, wherein the first security event isdetected by at least one sensor in the environment. The processor isfurther configured to determine a priority value of the first securityevent based on a type of the first security event. Additionally, theprocessor further configured to create a first identifier of the firstsecurity event, wherein the first identifier is a visual icon of a givenshape. Additionally, the processor further configured to assign a sizeand color to the first identifier of the first security event based onthe priority value. Additionally, the processor further configured togenerate, for display on the GUI, the first identifier of the firstsecurity event, wherein the GUI is configured to display identifiers ofone or more security events in a selectable layout of a plurality ofselectable layouts. Additionally, the processor further configured toreceive a selection of the first identifier. Additionally, the processorfurther configured to generate, for display, a panel comprisinginformation about the first security event and a plurality of actions toaddress the first security event. Additionally, the processor furtherconfigured to receive a selection of an action from the plurality ofactions. Additionally, the processor further configured to execute theaction to address the first security event.

Another example implementation includes a computer-readable mediumstoring instructions for managing security events via a graphical userinterface (GUI), wherein the instructions are executable by a processorto receive an indication of a first security event occurring in anenvironment, wherein the first security event is detected by at leastone sensor in the environment. The instructions are further executableto determine a priority value of the first security event based on atype of the first security event. Additionally, the instructions arefurther executable to create a first identifier of the first securityevent, wherein the first identifier is a visual icon of a given shape.Additionally, the instructions are further executable to assign a sizeand color to the first identifier of the first security event based onthe priority value. Additionally, the instructions are furtherexecutable to generate, for display on the GUI, the first identifier ofthe first security event, wherein the GUI is configured to displayidentifiers of one or more security events in a selectable layout of aplurality of selectable layouts. Additionally, the instructions arefurther executable to receive a selection of the first identifier.Additionally, the instructions are further executable to generate, fordisplay, a panel comprising information about the first security eventand a plurality of actions to address the first security event.Additionally, the instructions are further executable to receive aselection of an action from the plurality of actions. Additionally, theinstructions are further executable to execute the action to address thefirst security event.

To the accomplishment of the foregoing and related ends, the one or moreaspects comprise the features hereinafter fully described andparticularly pointed out in the claims. The following description andthe annexed drawings set forth in detail certain illustrative featuresof the one or more aspects. These features are indicative, however, ofbut a few of the various ways in which the principles of various aspectsmay be employed, and this description is intended to include all suchaspects and their equivalents.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated into and constitute apart of this specification, illustrate one or more example aspects ofthe present disclosure and, together with the detailed description,serve to explain their principles and implementations.

FIG. 1 is a diagram of a graphics user interface (GUI) depictingsecurity event identifiers based on time of occurrence, in accordancewith exemplary aspects of the present disclosure.

FIG. 2 is a diagram of a GUI depicting security event identifiers basedon priority, in accordance with exemplary aspects of the presentdisclosure.

FIG. 3 is a diagram of a GUI depicting security event identifiersundergoing a priority change, in accordance with exemplary aspects ofthe present disclosure.

FIG. 4 is a diagram of a GUI depicting security event identifiers thatare linked to each other, in accordance with exemplary aspects of thepresent disclosure.

FIG. 5 is a block diagram of a computing device executing a securityvisualization component, in accordance with exemplary aspects of thepresent disclosure.

FIG. 6 is a flowchart illustrating a method of managing security eventsvia a GUI, in accordance with exemplary aspects of the presentdisclosure.

FIG. 7 is a flowchart illustrating a method of adjusting priority valueof a security event, in accordance with exemplary aspects of the presentdisclosure.

FIG. 8 is a flowchart illustrating a method of visually adjusting thesecurity identifier based on priority value, in accordance withexemplary aspects of the present disclosure.

FIG. 9 is a flowchart illustrating a method of increasing priority valuebased on time, in accordance with exemplary aspects of the presentdisclosure.

FIG. 10 is a flowchart illustrating a method of decreasing priorityvalue based on GUI dismissals, in accordance with exemplary aspects ofthe present disclosure.

FIG. 11 is a flowchart illustrating a method of visually linkingsecurity event identifiers based on event relationships, in accordancewith exemplary aspects of the present disclosure.

DETAILED DESCRIPTION

Various aspects are now described with reference to the drawings. In thefollowing description, for purposes of explanation, numerous specificdetails are set forth in order to provide a thorough understanding ofone or more aspects. It may be evident, however, that such aspect(s) maybe practiced without these specific details.

The present disclosure includes apparatuses and methods that provide agraphical user interface (GUI) for managing security events. The presentdisclosure describes security identifiers, each of a particular shape,size, and color in accordance with a priority and timestamp of the eventthey correspond to. Urgent events are thus presented on the GUI withlarge and prominent identifiers, whereas trivial events are presented onthe GUI with smaller and subtle identifiers. Depending on how thesecurity event develops and the preferences of the user accessing theGUI, the identifiers may be visually adjusted to improve the efficiencyat which the user manages/resolves the security events.

FIG. 1 is a diagram of a GUI 100 depicting security event identifiersbased on time of occurrence, in accordance with exemplary aspects of thepresent disclosure. GUI 100 may be generated by a security visualizationcomponent 515 (described in FIG. 5 ). A security event may be anoccurrence in an environment that is detected by one or more sensorslocated at the environment. For example, a security event may be adetected fire. The sensors that can trigger this security event mayinclude a carbon monoxide sensor, a fire alarm lever, a heat sensor, asmoke detector, a security camera, etc. Another example of a securityevent may be flooding. The sensors that can trigger this security eventmay include a water detector, a security camera, a water pressure sensorin a pipe, etc. Yet another example of a security event may be an entryinto the environment by an individual. The sensors that can trigger thissecurity event may include a security camera, an infrared sensor, athermal sensor, a sound sensor, a badge scanner, an occupancy countingsystem, etc.

Due to the variety of security events that may arise in an environment,a user (e.g., a security staff member) monitoring a security interfaceneeds to be alert when handling event resolutions (e.g., putting out afire, draining water, granting/denying access). Security visualizationcomponent 515 is configured to generate GUI 100 in a manner that candecrease a search/access time for a user by representing each securityevent with its own identifier and enabling different organizationlayouts. In one example of GUI 100, a situation is illustrated thatincludes 30 security events that are generated for display. The securityidentifiers are circles of an assigned size and color/pattern. Forexample, high-level event 110 has an identifier with the largest sizedcircle and a striped pattern. High-level event 110 may need immediateattention. For example, high-level event 110 may be an intrusion in theenvironment by an unauthorized person. Medium-level event 108 may havethe next largest sized circle and a grid pattern. Medium-level event 108may need to be addressed before low-level event 106 (smallest circlewith no pattern) and after high-level event 110. For example,medium-level event 108 may be an adjustment of a thermostat andlow-level event 106 may be an entry into the environment by anauthorized user. It should be noted that GUI 100 may include securityidentifiers having any one of a plurality of different shapes, icons,colors, and/or patterns.

In the example layout of GUI 100, a view type 102 of “last active cause”is used to organize the identifiers based on when they were lastupdated. View type 102 is a selection of a layout. Other layouts mayinclude, but are not limited to: “requires ack/clr,” in which onlyidentifiers of events that need to be acknowledged (“ack”) or cleared(“clr”) are shown; “priority,” in which identifiers are organized basedon the priority value they are assigned; “partition,” in whichidentifiers are split based on physical locations (e.g., partitions ofthe environment); “initial date/time,” in which identifiers areorganized based on when they were first generated; and “all,” in whichall identifiers are organized in any given order (e.g., alphabetical).In GUI 100, because view type 102 is “last active cause,” the pluralityof identifiers are organized in accordance with timeline 104, whichgroups identifiers in one of “past hour,” “past shift,” “past day,”“past week,” and “beyond past week.” It is noted that the timeline 104of the GUI 100 may be configured with any number of different timegroups having any number of different time periods.

When a user selects an identifier (e.g., high-level event 110), securityvisualization component 515 generates panel 112, which includes detailsabout the event and actions menu 114. For example, in GUI 100,high-level event 110 is described to be event “ABCD,” which has a highpriority level, and involved an unauthorized entity gaining entry intothe environment at 10:12 pm through door 123ABC. Actions menu 114 lets auser dismiss the event (e.g., delete the identifier from GUI 100),resolve the event (e.g., store information about the event as resolvedin a historical events database), or access more options (e.g., viewsecurity footage, alert nearby security on patrol, lock doors, etc.).

A user may also search for specific events using the query box on GUI100. For example, if the user searched for an attribute of high-levelevent 110 (e.g., typed “event ABCD,” “high,” “doors,” “unauthorizedentry,” “break-in,” etc.), only the search results (e.g., in thisexample, including high-level event 110) would be shown on GUI 100.

FIG. 2 is a diagram of GUI 200 depicting security event identifiersbased on priority, in accordance with exemplary aspects of the presentdisclosure. GUI 200 is a version of GUI 100 in which the layout haschanged from view type 102 associated with “last active cause” to viewtype 202 associated with “priority.” More specifically, in this example,a user may select to view the plurality of identifiers based on theirpriority level rather than the last active cause. In view type 202, theplurality of identifiers are organized under two or more configuredlevels, such as but not limited to three levels: low, medium, high. Itshould be noted that the layouts and the classes for each layout areshown in simplicity. One skilled in the art will appreciate that viewtype 202 may include more than three priority levels. As can be seen,the plurality of identifiers in GUI 100 have new positions on the GUI,but retain their size, color/pattern, and priority value.

FIG. 3 is a diagram of GUI 300 depicting security event identifiersundergoing a priority change, in accordance with exemplary aspects ofthe present disclosure. GUI 300 is a version of GUI 200, in which alow-level security event has a change in priority and becomes ahigh-level security event. Priority change 302 may occur due to severalfactors including user preference (e.g., an event is more relevant to aparticular user) and event escalation (e.g., smoke detection has nowbecome a fire detection). For example, a water pressure security eventmay be more relevant to a user that is a plumber than a user that is anelectrician. Accordingly, if security visualization component 515detects that a plumber is accessing GUI 300 instead of an electrician(that was possibly accessing GUI 300 just previously to the plumber),security visualization component 515 may adjust the priority level ofthe water pressure issue event from low to high, which causes a visualadjustment of an identifier representing the event (e.g., larger size,different color/pattern). In some aspects, the priority change 302 maybe depicted as an animation that depicts the enlarging and physicalshift on the GUI 300 of the identifier from priority level “low” topriority level “high.”

FIG. 4 is a diagram of GUI 400 depicting security event identifiers thatare linked to each other, in accordance with exemplary aspects of thepresent disclosure. GUI 400 is a version of GUI 100 that furtherdisplays links between events. For example, one event may be connectedto another by cause and effect (e.g., short-circuiting device may leadto a fuse, which may lead to a router shutting down, which may lead tosensors disconnecting from the Internet access, etc.). When a userselects any identifier that is linked to another identifier, securityvisualization component 515 may generate panel 402 for display. Panel402 includes a chain of events that visually connects the identifiersfor easy viewing. This layout enables a user to resolve one event andautomatically resolve the others. For example, if the user selects andexecutes an action that resets the electrical panel of the environment,the router will automatically start stabling the Internet connection,and all other sensors will be able to connect to the Internet again.This way the user does not have to resolve each event individually andcan gain access to the root cause of multiple events.

Referring to FIG. 5 and FIG. 6 , in operation, computing device 500 mayperform a method 600 of managing security events via a graphical userinterface (GUI), by such as via execution of security visualizationcomponent 515 by processor 505 and/or memory 510. FIG. 6 is a flowchartillustrating a method 600 of managing security events via a GUI, inaccordance with exemplary aspects of the present disclosure.

At block 602, the method 600 includes receiving an indication of a firstsecurity event occurring in an environment, wherein the first securityevent is detected by at least one sensor in the environment. Forexample, in an aspect, computing device 500, processor 505, memory 510,security visualization component 515, and/or receiving component 520 maybe configured to or may comprise means for receiving an indication of afirst security event occurring in an environment, wherein the firstsecurity event is detected by at least one sensor in the environment.

The environment may be any physical location where a plurality ofsensors for access control are set up. For example, the environment maybe a college campus or an office building. Examples of sensors include,but are not limited to, cameras, temperature sensors, water sensors,biometric scanners, door locks, and lights. The first security event maybe detection of a fire and may be generated based on a combination ofsensor data (e.g., fire alarm, camera depicting a fire, etc.). Securityvisualization component 515 may receive the indication from a securitymodule that parses such sensor data to generate security events.

At block 604, the method 600 includes determining a priority value ofthe first security event based on a type of the first security event.For example, in an aspect, computing device 500, processor 505, memory510, security visualization component 515, and/or determining component525 may be configured to or may comprise means for determining apriority value of the first security event based on a type of the firstsecurity event.

There may be a finite number of security event types stored in memory510. In some aspects, the type of the security event is determined bythe security module that generated the security event. In other aspects,security visualization component 515 may classify the type of thesecurity event into one of the finite number of security event types.For example, the first security event of a fire detection may beclassified as a “fire hazard.” Other examples of security event typesmay include “authorized entry,” “unauthorized entry,” “water hazard,”“electrical outage,” “connectivity issue.”

Determining component 525 may retrieve the priority value from adatabase comprising a list of types of security events and correspondingpriority values. The database may be stored in memory 510. For example,in the database, “fire hazard” may be associated with a priority valueof “high,” “authorized entry” may be associated with a priority value of“low,” “connectivity issue,” may be associated with a priority value of“medium.” It should be noted that the priority values of “low,”“medium,” and “high” are described for simplicity. A priority value maybe any quantitative or qualitative assessment of an event's importancerelative to another set of events.

At block 606, the method 600 includes creating a first identifier of thefirst security event, wherein the first identifier is a visual icon of agiven shape. For example, in an aspect, computing device 500, processor505, memory 510, security visualization component 515, and/or creatingcomponent 530 may be configured to or may comprise means for creating afirst identifier of the first security event, wherein the firstidentifier is a visual icon of a given shape.

At block 608, the method 600 includes assigning a size and color to thefirst identifier of the first security event based on the priorityvalue. For example, in an aspect, computing device 500, processor 505,memory 510, security visualization component 515, and/or assigningcomponent 535 may be configured to or may comprise means for assigning asize and color to the first identifier of the first security event basedon the priority value.

The database that maps priority values may also include a size,color/pattern, or shape that the particular event type should have. Forexample, the first security event may be represented by a firstidentifier that is shaped as a large circle and has a striped pattern asits fill (e.g., comparable to the identifier of high-level event 110 inFIG. 1 ). The visual icon gives the event a prominence over other eventidentifiers, which can direct the attention of a user to the event.

At block 610, the method 600 includes generating, for display on theGUI, the first identifier of the first security event, wherein the GUIis configured to display identifiers of one or more security events in aselectable layout of a plurality of selectable layouts. For example, inan aspect, computing device 500, processor 505, memory 510, securityvisualization component 515, and/or generating component 540 may beconfigured to or may comprise means for generating, for display on theGUI, the first identifier of the first security event, wherein the GUIis configured to display identifiers of one or more security events in aselectable layout of a plurality of selectable layouts. For example,generating component 540 may generate an identifier on GUI 100 (e.g., anidentifier comparable to high-level event 110) in the “past hour”region. In some aspects, the selectable layout organizes the identifiersof the one or more identifiers based on one of: respective priorityvalue, time of occurrence, and a location of occurrence.

At block 612, the method 600 includes receiving a selection of the firstidentifier. For example, in an aspect, computing device 500, processor505, memory 510, security visualization component 515, and/or receivingcomponent 520 may be configured to or may comprise means for receiving aselection of the first identifier. For example, a user may select theidentifier representing high-level event 110 using a touchscreen, amouse, a gesture analyzing camera, or any interfacing component ofcomputing device 500 where GUI 100 is generated.

At block 614, the method 600 includes generating, for display, a panelcomprising information about the first security event and a plurality ofactions to address the first security event. For example, in an aspect,computing device 500, processor 505, memory 510, security visualizationcomponent 515, and/or generating component 540 may be configured to ormay comprise means for generating, for display, panel 112 comprisinginformation about the first security event and a plurality of actions(e.g., actions menu 114) to address the first security event.

At block 616, the method 600 includes receiving a selection of an actionfrom the plurality of actions. For example, in an aspect, computingdevice 500, processor 505, memory 510, security visualization component515, and/or receiving component 520 may be configured to or may comprisemeans for receiving a selection of an action from the plurality ofactions. For example, the user may select an action that activates awater sprinkling system in the partition of the environment where thefire is detected.

At block 618, the method 600 includes executing the action to addressthe first security event. For example, in an aspect, computing device500, processor 505, memory 510, security visualization component 515,and/or executing component 545 may be configured to or may comprisemeans for executing the action to address the first security event. Forexample, executing component 545 may command the water sprinkler systemto activate the water.

FIG. 7 is a flowchart illustrating a method 700 of adjusting priorityvalue of a security event, in accordance with exemplary aspects of thepresent disclosure that may operate in association with method 600.

In an optional aspect, referring to FIG. 7 , at block 702, the method700 includes identifying a user of the GUI. For example, in an aspect,computing device 500, processor 505, memory 510, security visualizationcomponent 515, and/or identifying component 570 may be configured to ormay comprise means for identifying a user of the GUI.

In some aspects, a user may log into a profile when using the GUI.Identifying component 570 may identify the user based on the usercredentials of the profile. The login credentials may be a facial image,a username/password combination, an iris image, a voice pattern, afingerprint, etc.

At block 704, the method 700 includes retrieving a user profile of theuser, wherein the user profile indicates identifier selectionshistorically made by the user on the GUI. For example, in an aspect,computing device 500, processor 505, memory 510, security visualizationcomponent 515, and/or retrieving component 575 may be configured to ormay comprise means for retrieving a user profile of the user, whereinthe user profile indicates identifier selections historically made bythe user on the GUI.

For example, whenever a user logs in to the GUI, security visualizationcomponent 515 may record the actions that the user makes on the GUI inmemory 510. For example, a user may dismiss an identifier, reset asensor, alert a patrolling officer, adjust the layout into a particularuser type, access information for a particular type of event, etc.

At block 706, the method 700 includes determining a relevance of thetype of the first security event to the user, wherein the relevance is alikelihood of the user selecting the first identifier based on theidentifier selections historically made by the user. For example, in anaspect, computing device 500, processor 505, memory 510, securityvisualization component 515, and/or determining component 525 may beconfigured to or may comprise means for determining a relevance of thetype of the first security event to the user, wherein the relevance is alikelihood of the user selecting the first identifier based on theidentifier selections historically made by the user.

For example, if the user has made 70 identifier selections on the GUIand 35 identifiers are of a “fire hazard” type, the likelihood of theuser accessing a “fire hazard” type event is 50%. Suppose that the userfurther dismisses 20 of the non-“fire hazard” type events. This impliesthat the user is not interested in those events. The likelihood of theuser accessing those event types decreases and the likelihood of theuser accessing “fire hazard” type events increases.

In some aspects, security visualization component 515 analyzes the usagehabits (e.g., identifier selections) of the user in a particular periodof time to get the latest habits. For example, a user may get promotedor reassigned to a particular security division (e.g., move from onebranch in a first location to a second branch in a second location).Accordingly, the user may be interested in viewing other security eventsand GUI should dynamically adjust the identifiers to be more relevant tothe user.

At block 708, the method 700 includes adjusting the priority value ofthe first security event based on the likelihood. For example, in anaspect, computing device 500, processor 505, memory 510, securityvisualization component 515, and/or adjusting component 580 may beconfigured to or may comprise means for adjusting the priority value ofthe first security event based on the likelihood. For example, if thepriority value of the event is “low,” adjusting component 580 may setthe priority value to “medium.” In some aspects, the adjustment inpriority value is based on the magnitude of the likelihood. For example,if the likelihood is greater than 70%, the priority value should be“high;” if the likelihood is between 40% and 70%, the priority valueshould be “medium;” if the likelihood is less than 40%, the priorityvalue should be “low.”

FIG. 8 is a flowchart illustrating a method 800 of visually adjustingthe security identifier based on priority value, in accordance withexemplary aspects of the present disclosure that may operate inassociation with method 600 and/or 700. Method 800 may be executed bysecurity visualization component 515 subsequent to executing method 700.

In an optional aspect, referring to FIG. 8 , at the block 802, themethod 800 includes assigning a new size and a new color to the firstidentifier based on the adjusted priority value. For example, in anaspect, computing device 500, processor 505, memory 510, securityvisualization component 515, and/or assigning component 535 may beconfigured to or may comprise means for assigning a new size and a newcolor to the first identifier based on the adjusted priority value.

At block 804, the method 800 includes generating, for display on theGUI, the first identifier with the new size and the new color. Forexample, in an aspect, computing device 500, processor 505, memory 510,security visualization component 515, and/or generating component 540may be configured to or may comprise means for generating, for displayon the GUI, the first identifier with the new size and the new color.For example, the first identifier may be transformed from a small whitecircle to a large striped circle shown by priority change 302 in FIG. 3.

FIG. 9 is a flowchart illustrating a method 900 of increasing priorityvalue based on time, in accordance with exemplary aspects of the presentdisclosure that may operate in association with method 600, 700, and/or800.

In an optional aspect, referring to FIG. 9 , at block 902, the method900 includes receiving an indication that the first security event hasnot been resolved for more than a threshold period of time. For example,in an aspect, computing device 500, processor 505, memory 510, securityvisualization component 515, and/or receiving component 520 may beconfigured to or may comprise means for receiving an indication that thefirst security event has not been resolved for more than a thresholdperiod of time.

For example, receiving component 520 may track the amount of time thatan identifier has been presented on the GUI without being resolved. Thethreshold period of time may be linked to the type of event. Certaintypes of events may escalate in urgency if not addressed immediately.For example, detection of smoke may start as a “medium” event, but astime passes by and the amount of smoke increases, the priority valueshould increase.

At block 904, the method 900 includes increasing the priority value ofthe first security event. For example, in an aspect, computing device500, processor 505, memory 510, security visualization component 515,and/or increasing component 585 may be configured to or may comprisemeans for increasing the priority value of the first security event. Forexample, a “smoke detection” type of event may have a threshold of 10minutes. When the identifier for the event is generated and 10 minuteshas elapsed without the event being resolved (e.g., the identifier beingdismissed or selected to execute an action), the priority value of theevent may be increased to “high” from “medium.”

FIG. 10 is a flowchart illustrating a method 1000 of decreasing priorityvalue based on GUI dismissals, in accordance with exemplary aspects ofthe present disclosure that may operate in association with method 600,700, 800, and/or 900.

In an optional aspect, referring to FIG. 10 , at block 1002, the method1000 includes detecting that more than a threshold amount of securityevents of a given type have been dismissed on the GUI. For example, inan aspect, computing device 500, processor 505, memory 510, securityvisualization component 515, and/or detecting component 590 may beconfigured to or may comprise means for detecting that more than athreshold amount of security events of a given type have been dismissedon the GUI. In this case, a dismissal refers to deleting an identifierwithout performing any other actions.

Consider events of the type “authorized entry.” During the morning, 100employees may have entered an office building being monitored via theGUI. Initially the priority value may be “medium” for such events.However, the user of the GUI may dismiss all of the events. Thethreshold amount may be a predetermined value stored in memory 510(e.g., 75). When the amount of dismissals exceeds the threshold amount,the understanding is that the event is not as important or relevant. Toprevent the event from becoming distractions from more urgent events,the events should be made less prominent.

At block 1004, the method 1000 includes decreasing priority values ofsecurity events of the given type. For example, in an aspect, computingdevice 500, processor 505, memory 510, security visualization component515, and/or decreasing component 595 may be configured to or maycomprise means for decreasing priority values of security events of thegiven type.

FIG. 11 is a flowchart illustrating a method 1100 of visually linkingsecurity event identifiers based on event relationships, in accordancewith exemplary aspects of the present disclosure that may operate inassociation with method 600, 700, 800, 900, and/or 1000.

In an optional aspect, referring to FIG. 11 , at block 1102, the method1100 includes determining that a second security event is linked to thefirst security event by cause and effect. For example, in an aspect,computing device 500, processor 505, memory 510, security visualizationcomponent 515, and/or determining component 525 may be configured to ormay comprise means for determining that a second security event islinked to the first security event by cause and effect.

In some aspects, determining component 525 may determine the linkage bydetecting, based on identifier selections historically made on the GUI,that an indication of the second security event has been received afterthe first security event a threshold number of times in a given periodof time. For example, the first security event may be a detection ofsmoke and the second security event may be detection of a fire. Theperiod of time may be 1 minute.

In some aspects, determining component 525 may determine the linkage bydetecting, based on identifier selections historically made on the GUI,that an identifier of the second security event has been selected afterselection of the first identifier of the first security event athreshold number of times in a given period of time. For example, if auser selects smoke detection identifiers and then right after selectsfire detection identifiers throughout the past year at least 20 times,determining component 525 may determine that fire detection identifiersare linked to smoke detection identifiers.

At block 1104, the method 1100 includes generating, for display on theGUI, a visual link that connects identifiers of the first security eventand the second security event, wherein the panel further comprisesinformation about the second security event. For example, in an aspect,computing device 500, processor 505, memory 510, security visualizationcomponent 515, and/or generating component 540 may be configured to ormay comprise means for generating, for display on the GUI, a visual link(e.g., a line) that connects identifiers of the first security event andthe second security event, wherein the panel (e.g., panel 402) furthercomprises information about the second security event.

While the foregoing disclosure discusses illustrative aspects and/orembodiments, it should be noted that various changes and modificationscould be made herein without departing from the scope of the describedaspects and/or embodiments as defined by the appended claims.Furthermore, although elements of the described aspects and/orembodiments may be described or claimed in the singular, the plural iscontemplated unless limitation to the singular is explicitly stated.Additionally, all or a portion of any aspect and/or embodiment may beutilized with all or a portion of any other aspect and/or embodiment,unless stated otherwise.

What is claimed is:
 1. An apparatus for managing security events via agraphical user interface (GUI), comprising: a memory; and a processor incommunication with the memory and configured to: receive an indicationof a first security event occurring in an environment, wherein the firstsecurity event is detected by at least one sensor in the environment;determine a priority value of the first security event based on a typeof the first security event; create a first identifier of the firstsecurity event, wherein the first identifier is a visual icon of a givenshape; assign a size and color to the first identifier of the firstsecurity event based on the priority value; generate, for display on theGUI, the first identifier of the first security event, wherein the GUIis configured to display identifiers of one or more security events in aselectable layout of a plurality of selectable layouts; determine that asecond security event is linked to the first security event by cause andeffect by detecting, based on identifier selections historically made onthe GUI, that an identifier of the second security event has beenselected after selection of the first identifier of the first securityevent a threshold number of times in a given period of time; generate,for display on the GUI, a visual link that connects identifiers of thefirst security event and the second security event; in response toreceiving an indication that the first security event has not beenresolved for more than a threshold period of time in a current session,increase the priority value of the first security event; increasing thesize of the first identifier on the GUI based on the increase in thepriority value; receive a selection of the first identifier; generate,for display, a panel comprising information about the first securityevent and a plurality of actions to address the first security event,wherein the panel further comprises information about the secondsecurity event; receive a selection of an action from the plurality ofactions; and execute the action to address the first security event. 2.The apparatus of claim 1, wherein determining the priority value of thefirst security event based on the type of the first security event theprocessor is further configured to: retrieve the priority value from adatabase comprising a list of types of security events and correspondingpriority values.
 3. The apparatus of claim 1, wherein the processor isfurther configured to: identify a user of the GUI; retrieve a userprofile of the user, wherein the user profile indicates identifierselections historically made by the user on the GUI; determine arelevance of the type of the first security event to the user, whereinthe relevance is a likelihood of the user selecting the first identifierbased on the identifier selections historically made by the user; andadjust the priority value of the first security event based on thelikelihood.
 4. The apparatus of claim 3, wherein the processor isfurther configured to: assign a new size and a new color to the firstidentifier based on the adjusted priority value; and generate, fordisplay on the GUI, the first identifier with the new size and the newcolor.
 5. The apparatus of claim 1, wherein the processor is furtherconfigured to: detect that more than a threshold amount of securityevents of a given type have been dismissed on the GUI; and decreasepriority values of security events of the given type.
 6. The apparatusof claim 1, wherein when determining that the second security event islinked to the first security event by cause and effect the processor isfurther configured to: detect, based on identifier selectionshistorically made on the GUI, that an indication of the second securityevent has been received after the first security event a thresholdnumber of times in a given period of time.
 7. The apparatus of claim 1,wherein the selectable layout organizes the identifiers of the one ormore security events based on at least one of: respective priorityvalue, time of occurrence, or a location of occurrence.
 8. A method formanaging security events via a graphical user interface (GUI),comprising: receiving an indication of a first security event occurringin an environment, wherein the first security event is detected by atleast one sensor in the environment; determining a priority value of thefirst security event based on a type of the first security event;creating a first identifier of the first security event, wherein thefirst identifier is a visual icon of a given shape; assigning a size andcolor to the first identifier of the first security event based on thepriority value; generating, for display on the GUI, the first identifierof the first security event, wherein the GUI is configured to displayidentifiers of one or more security events in a selectable layout of aplurality of selectable layouts; determining that a second securityevent is linked to the first security event by cause and effect bydetecting, based on identifier selections historically made on the GUI,that an identifier of the second security event has been selected afterselection of the first identifier of the first security event athreshold number of times in a given period of time; generating, fordisplay on the GUI, a visual link that connects identifiers of the firstsecurity event and the second security event; in response to receivingan indication that the first security event has not been resolved formore than a threshold period of time in a current session, increasingthe priority value of the first security event; increasing the size ofthe first identifier on the GUI based on the increase in the priorityvalue; receiving a selection of the first identifier; generating, fordisplay, a panel comprising information about the first security eventand a plurality of actions to address the first security event, whereinthe panel further comprises information about the second security event;receiving a selection of an action from the plurality of actions; andexecuting the action to address the first security event.
 9. The methodof claim 8, wherein determining the priority value of the first securityevent based on the type of the first security event further comprises:retrieving the priority value from a database comprising a list of typesof security events and corresponding priority values.
 10. The method ofclaim 8, further comprising: identifying a user of the GUI; retrieving auser profile of the user, wherein the user profile indicates identifierselections historically made by the user on the GUI; determining arelevance of the type of the first security event to the user, whereinthe relevance is a likelihood of the user selecting the first identifierbased on the identifier selections historically made by the user; andadjusting the priority value of the first security event based on thelikelihood.
 11. The method of claim 10, further comprising: assigning anew size and a new color to the first identifier based on the adjustedpriority value; and generating, for display on the GUI, the firstidentifier with the new size and the new color.
 12. The method of claim8, further comprising: detecting that more than a threshold amount ofsecurity events of a given type have been dismissed on the GUI; anddecreasing priority values of security events of the given type.
 13. Themethod of claim 8, wherein determining that the second security event islinked to the first security event by cause and effect furthercomprises: detecting, based on identifier selections historically madeon the GUI, that an indication of the second security event has beenreceived after the first security event a threshold number of times in agiven period of time.
 14. The method of claim 8, wherein the selectablelayout organizes the identifiers of the one or more security eventsbased on at least one of: respective priority value, time of occurrence,or a location of occurrence.
 15. A non-transitory computer-readablemedium storing instructions for managing security events via a graphicaluser interface (GUI), wherein the instructions are executable by aprocessor to: receive an indication of a first security event occurringin an environment, wherein the first security event is detected by atleast one sensor in the environment; determine a priority value of thefirst security event based on a type of the first security event; createa first identifier of the first security event, wherein the firstidentifier is a visual icon of a given shape; assign a size and color tothe first identifier of the first security event based on the priorityvalue; generate, for display on the GUI, the first identifier of thefirst security event, wherein the GUI is configured to displayidentifiers of one or more security events in a selectable layout of aplurality of selectable layouts; determine that a second security eventis linked to the first security event by cause and effect by detecting,based on identifier selections historically made on the GUI, that anidentifier of the second security event has been selected afterselection of the first identifier of the first security event athreshold number of times in a given period of time; generate, fordisplay on the GUI, a visual link that connects identifiers of the firstsecurity event and the second security event; in response to receivingan indication that the first security event has not been resolved formore than a threshold period of time in a current session, increase thepriority value of the first security event; increase the size of thefirst identifier on the GUI based on the increase in the priority value;receive a selection of the first identifier; generate, for display, apanel comprising information about the first security event and aplurality of actions to address the first security event, wherein thepanel further comprises information about the second security event;receive a selection of an action from the plurality of actions; andexecute the action to address the first security event.